我正在向explorer.exe注入一个DLL来挂接CreateProcess,这样就可以在用户打开某些可执行文件时进行拦截(我选择挂接这种方法是因为想多了解一些挂接的知识;我知道也可以用WMI或其他方法来实现)。
我用来挂接的库是:
DDetours

钩子已经生效:我运行的每个应用程序都会弹出在HookProc中设置的消息框,但是在消息框出现之后,explorer.exe就崩溃了。
注入DLL的代码工作正常,并且如果我只是注入一个空的dll或仅带有一个消息框的dll,则一切正常。因此,我认为问题出在挂钩设置中。这是DLL代码:

library DLL;

uses
  Windows, DDetours;

{$R *.res}

var
  // Trampoline pointer filled in by InterceptCreate (see DLLMain). It is meant
  // to hold the original CreateProcess so the detour can call through to it.
  //
  // NOTE(review): this procedural type does not match the Win32 CreateProcess
  // signature, and it is also not identical to InterceptCreateProcess below
  // (this one has `var` on lpApplicationName, the function does not). It uses
  // managed Delphi String where the API takes PChar, IntPtr where it takes
  // PSecurityAttributes / Pointer / PChar, Boolean and Int32 where it takes
  // BOOL and DWORD, and passes STARTUPINFO / PROCESS_INFORMATION by value
  // instead of as const / var record parameters. The accepted answer on this
  // page gives the matching declaration; because this DLL lives inside
  // explorer.exe, an ABI mismatch here takes down the shell itself.
  CreateProcessHook: function(var lpApplicationName:String;
            lpCommandLine:String;
            lpProcessAttributes:IntPtr;
            lpThreadAttributes:IntPtr;
            bInheritHandles:Boolean;
            dwCreationFlags:Int32;
            lpEnvironment:IntPtr;
            lpCurrentDirectory:IntPtr;
            lpStartupInfo:STARTUPINFO;
            lpProcessInformation:PROCESS_INFORMATION): Boolean; stdcall = nil;

// Detour body installed over CreateProcess by DLLMain.
//
// NOTE(review): as written this function only shows a message box. It never
// calls the original through CreateProcessHook and never assigns Result, so
// every caller of CreateProcess inside explorer.exe gets an undefined return
// value and an untouched PROCESS_INFORMATION. Combined with the parameter
// types not matching the real API (see the declaration above and the accepted
// answer below), this is the likely source of the crash reported in the
// question. The accepted answer's version calls through first and returns
// the original's BOOL.
function InterceptCreateProcess(lpApplicationName:String;
            lpCommandLine:String;
            lpProcessAttributes:IntPtr;
            lpThreadAttributes:IntPtr;
            bInheritHandles:Boolean;
            dwCreationFlags:Int32;
            lpEnvironment:IntPtr;
            lpCurrentDirectory:IntPtr;
            lpStartupInfo:STARTUPINFO;
            lpProcessInformation:PROCESS_INFORMATION): Boolean; stdcall;
  begin
    // Debug aid only: a modal message box on every process launch from the shell.
    MessageBoxA(0, 'Process created :)', 'Hooked', 0);
    // No Result := ...; no call-through to CreateProcessHook.
  end;

// Library entry-point callback; installed into DLLProc by the initialization
// section below and also invoked once directly for DLL_PROCESS_ATTACH.
//
// NOTE(review): only DLL_PROCESS_ATTACH is handled, so the detour is never
// removed on DLL_PROCESS_DETACH (the accepted answer adds InterceptRemove
// there). Also, DllMain runs while the loader lock is held; Microsoft's
// DllMain guidance discourages UI calls such as MessageBox from it.
procedure DLLMain(dwReason: DWORD);
begin
  case dwReason of
  DLL_PROCESS_ATTACH:
  begin
    MessageBoxA(0,'Injected', 'Injected', MB_OK);
    // Patch CreateProcess and keep the trampoline to the original in CreateProcessHook.
    @CreateProcessHook:= InterceptCreate(@CreateProcess, @InterceptCreateProcess);
  end;
  end;
end;

// Library initialization section. Delphi does not route the initial
// DLL_PROCESS_ATTACH through DLLProc, so the handler is registered for later
// notifications and then called once by hand for the attach that is happening now.
begin
 DLLProc := @DLLMain;
 DLLMain(DLL_PROCESS_ATTACH);
end.


如您所见,InterceptCreateProcess只是显示一个消息框;当我打开某些可执行文件时,这个消息框确实会弹出,但正如上面所说,资源管理器随后会崩溃。我认为这与CreateProcess函数变量的声明有关。有什么建议吗?
所有组件都是64位的。

最佳答案

您的挂钩函数的签名与CreateProcess()的实际签名不匹配。请尝试以下代码:

library DLL;

uses
  Windows, DDetours;

{$R *.res}

var
  // Trampoline to the original CreateProcess, filled in by InterceptCreate in
  // DLLMain and used by InterceptCreateProcess to call through.
  // The parameter list mirrors CreateProcess as declared in Windows.pas:
  // PChar strings, PSecurityAttributes, BOOL/DWORD, a const STARTUPINFO and a
  // var PROCESS_INFORMATION, stdcall. It must stay byte-for-byte compatible
  // with InterceptCreateProcess below, since both are patched over the same
  // export; any drift between the two corrupts the call inside explorer.exe.
  CreateProcessHook: function(lpApplicationName: PChar;
            lpCommandLine: PChar;
            lpProcessAttributes, lpThreadAttributes: PSecurityAttributes;
            bInheritHandles: BOOL;
            dwCreationFlags: DWORD;
            lpEnvironment: Pointer;
            lpCurrentDirectory: PChar;
            const lpStartupInfo: STARTUPINFO;
            var lpProcessInformation: PROCESS_INFORMATION): BOOL; stdcall = nil;

// Detour installed over CreateProcess. Forwards every call to the original via
// the trampoline, returns the original's BOOL, then shows a message box.
//
// NOTE(review): the call-through is unconditional, so the "intercept certain
// executables" behaviour the question asks about would have to be decided
// before the call on the first line of the body. Also, InterceptCreate is
// given `@CreateProcess` as Delphi's Windows unit resolves it (the A or W
// export depending on compiler version); callers that reach the other A/W
// variant directly may not pass through this detour — worth verifying.
function InterceptCreateProcess(lpApplicationName: PChar;
            lpCommandLine: PChar;
            lpProcessAttributes, lpThreadAttributes: PSecurityAttributes;
            bInheritHandles: BOOL;
            dwCreationFlags: DWORD;
            lpEnvironment: Pointer;
            lpCurrentDirectory: PChar;
            const lpStartupInfo: STARTUPINFO;
            var lpProcessInformation: PROCESS_INFORMATION): BOOL; stdcall;
begin
  // Call the real CreateProcess; lpProcessInformation is filled in by it.
  Result := CreateProcessHook(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation);
  // Debug aid: a modal box on every launch from the shell; remove once the hook is verified.
  MessageBox(0, 'CreateProcess', 'Hooked', 0);
end;

// Library entry-point callback: installs the detour on DLL_PROCESS_ATTACH and
// removes it on DLL_PROCESS_DETACH so the patched export does not keep pointing
// into a module that has been unloaded.
//
// NOTE(review): DllMain runs while the loader lock is held; Microsoft's DllMain
// guidance discourages UI calls such as MessageBox here. Keep it as a
// debugging aid only.
procedure DLLMain(dwReason: DWORD);
begin
  case dwReason of
    DLL_PROCESS_ATTACH:
    begin
      // Patch first, then notify; CreateProcessHook receives the trampoline to the original.
      @CreateProcessHook := InterceptCreate(@CreateProcess, @InterceptCreateProcess);
      MessageBox(0, 'Injected', 'Injected', MB_OK);
    end;
    DLL_PROCESS_DETACH:
    begin
      // Restore the original CreateProcess bytes before this DLL goes away.
      InterceptRemove(@CreateProcessHook);
    end;
  end;
end;

// Library initialization section. Delphi does not deliver the initial
// DLL_PROCESS_ATTACH through DLLProc, so DLLMain is registered for later
// notifications (thread attach/detach, process detach) and invoked once by
// hand for the attach in progress.
begin
 DLLProc := @DLLMain;
 DLLMain(DLL_PROCESS_ATTACH);
end.

关于delphi - 资源管理器在CreateProcess Hook 上崩溃,我们在Stack Overflow上找到一个类似的问题:https://stackoverflow.com/questions/24644075/
